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We give a comprehensive and constructive proof of the no- 
go theorem of a bit commitment given by Mayers, Lo, and 
Chan from the viewpoint of quantum information theory. It 
is shown that there is a trade-off relation between information 
acquired by Bob during the commitment phase and the ability 
to change a commit bit by Alice during the opening phase. 
It is clarified that a protocol that is unbiased to both Alice 
and Bob cannot be, at the same time, secure against both 
parties. Fundamental physical constraints that govern this 
no-go theorem are also discussed. 



I. INTRODUCTION 

In brief, a bit commitment (BC) is the following task 
that is executed in two steps ((a) and (b) below) by two 
mistrustful parties, a sender, Alice, and a receiver. Bob. 

(a) Commit phase (C-phase): Alice chooses a bit (6 = 
or 1) and commits it to Bob. That is, she gives Bob a 
piece of evidence that she has a bit 6 in mind and that 
she cannot change it (in this case, the commitment is 
said to be binding). Bob cannot learn the value of the 
committed bit from that evidence until Alice reveals fur- 
ther information (in this case, the commitment is said to 
be concealing). 

(b) Opening phase (0-phase): At a later time, Alice 
opens the commitment. That is, she tells Bob the value 
of 6 and convinces him that it is indeed the genuine bit 
that she chose during the C-phase. If Alice changes the 
value, it can be discovered by Bob. 

A BC is an important cryptographic primitive with 
many applications in more sophisticated tasks and is of 
great theoretical and practical interest. Current classical 
BC protocols are proven secure by invoking some un- 
proven computational assumption; that is, complexity of 
some kind of mathematical problems such as the hard- 
ness of factoring large integers. After the invention of the 
quantum computing algorithm that makes the computa- 
tional assumption totally invalid, it has been brought 
to many researchers' attention whether there exists a 
BC protocol that is guaranteed secure solely by physi- 
cal principles. In recent years, Mayers, Lo, and Chau 
have proven that an unconditionally secure BC is im- 
possible (no-go theorem for a BC) under the standard 



nonrelativistic assumption, [yg] However, although their 
discussions are quite correct, their proofs are a bit formal 
and nonconstructive. It is not yet clear what prevents us 
from implementing the unconditionally secure BC pro- 
tocol. In this paper, we give a constructive proof of the 
no-go theorem for a BC that would make things more 
transparent and convincing from the viewpoint of quan- 
tum information theory. We clarify why quantum me- 
chanics does not help a quantum BC protocol to achieve 
more than a classical one does. 



II. MODEL AND FORMULATION OF THE BIT 
COMMITMENT PROTOCOL 

First, let us consider an honest protocol. The most 
important point concerning the BC protocol is that Alice 
needs to unveil a value of 6 in the 0-phase consistently 
with information transmitted in the C-phase. From the 
information-theoretic point of view, this implies that one 
bit of classical information should be transmitted from 
Alice to Bob at the end of the protocol. Therefore, when 
we set Ic and lo as the amounts of information in a bit 
transmitted in the C-phase and 0-phase, the following 
identity holds: 



/c + /o = l. 



(1) 



Namely, the BC protocol is essentially a split transmis- 
sion of one-bit information in two temporally separated 
steps: one in the C-phase and the other in the 0-phase. 
Only a fraction of the bit information needs to be trans- 
mitted in each step. Noting this fact, we can formulate 
the quantum BC protocols reported so far |^-^ as fol- 
lows. 

In order to demand unconditional security, Alice re- 
veals to Bob quantum information as a piece of evidence 
of her commitment by transmitting a system, such as a 
photon or an electron, in the C-phase. In the 0-phase, 
she reveals to Bob classical information which consists of 
the value of b and the measurement basis on the system. 
Finally, Alice and Bob test the consistency between the 
reported value of b and the measurement results of the 
system. 

According to the quantum description of the proto- 
col involving classical communication suggested by Tal 
Mor, let subsystem B (Bob's system) be the system with 
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arbitrary dimensional state space Hb that carries quan- 
tum information in the C-phase and subsystem A (Al- 
ice's system) be the system with arbitrary dimensional 
state space Ha that carries classical information in the O- 
phase. Let be the genuine states of the joint sys- 
tem AB to be prepared by Alice according to her choice 
of b. Then, Eq. (|l|) is equivalent to the condition that 

AO 

Hab ^ Ha<Si Hb\ i.e. 



and Xi^ are orthogonal in the joint Hilbert space, 





Tta 








= Tta 







(7) 



are orthogonal on Hb] i.e., Pq pf ~ Pi Pa = 0. The 
forms of Pq and pf can be freely chosen in the protocol 
and various complex forms have been proposed to pre- 
vent cheating of both parties, but the concrete forms are 
irrelevant to the subject in the following discussion. 



AB AB AB AB 

Xo Xi =Xi Xo 



0. 



(2) 



Here, to avoid confusion throughout this paper, we use 
superscripts to denote the appropriate state space for a 
state or an operator. According to the protocol, by trans- 
mitting a subsystem B to Bob, Alice reveals, in general, 
nonorthogonal marginal states 



Pb TrAxi 



(3) 



(& = or 1) in the C-phase. It is proven in Appendix A 
that from condition (|^), we can always find two mutually 
orthogonal purifications lipf^) of pj^ in the orthogonal 
subspace in which the support of the state xt^ ^i^^. Any 
set of two orthonormal states in Hab should be repre- 
sented by two orthonormal states in the two-dimensional 
subspace AI spanned by {jO"^^) , in Hab- Fur- 

thermore, any such subspace M can be defined by a set 
of two orthonormal states in Hab- 







,'A 



=^/3|6'^)|6^), 



(4) 



with an appropriate choice of two sets of orthonormal 
states {[a''^) and {\b'^) \b^)} and coefficients a 

and /3, where { { |a'^) } , { l^'-^)} } ({{|«^)} . {|&^)}}) 

makes up a Schmidt basis for Ha {Hb)- Therefore, 
given a set of the mutually orthogonal purifications 
{jV'o^^) 1 1^1^^)} in Hab, we can always find the follow- 
ing form of Schmidt decomposition P 



IV-^^) = COS 61 1 0^^)+ sin 61 1 1^^), 



sin 6*10'^'^) 



cos0|l^^), 



(5) 



by choosing appropriate Schmidt coefficients and absorb- 
ing any phase factors in the definition of the bases. As 
a result of Eqs. (^) and (^), the marginal states Pq and 
pf are commutable and diagonalized simultaneously by 
Schmidt basis as 



p^^TrA\^^^){^n 
pf^TrA\^r){^n 



cos 



5r 



sm 



cos 



5f, 
5f, 



(6) 



where Tta denotes a partial trace over subsystem A, and 
two states 



III. CHEATING STRATEGIES 

According to the model given in Sec||, we will evaluate 
the performance of Alice's and Bob's cheating. 



A. Bob's cheating 

The purpose of Bob's cheating is to obtain as much 
information as possible about b during the C-phase from 
the marginal states pf . In the following, the amount of 
available information about b for Bob during the C-phase 
is evaluated as a measure of his cheating performance. 

From the protocol agreed by Alice and Bob, the states 
X^^ to be prepared by Alice are known to them. There- 
fore, Bob can calculate the Schmidt bases, {|a'^)} and 
{[fe'^)}, that diagonalize the marginal states pf and pf 
beforehand. Bob can perform an optimal measurement 
for distinguishing pf and pf by making use of the orthog- 
onality between pf and pf . To describe a measure of the 
available information about b for Bob from pf , consider 
the fidelity between pf and pf . QJl^ It is given by 



F{pf,pf) = TrB^{pfY'%f{pfY'\ 



(8) 



Noting that pf and pf are orthogonal, we can calculate 



{pf f'^ from Eq. 



as 



{p?r 



(9) 



in the representation in which pf and pf are diagonal. 
Therefore, Eq. gives 



F{pf,pf^ 



\sm2e\TrB{pf + pf) ^\sin20\. (10) 



The smaller the fidelity is, the more Bob can distin- 
guish between pf and pf correctly; therefore, he can 
gain more information about b. To confirm this, we con- 
sider the quantum error probability which gives the lower 
limit of error rate for distinguishing pf and pf . p^-p^] 
It is given as 



iBob/„B B 



1 1 



{pf,pf) = 7;--TrB\pf-pf 



(11) 
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Noting again that and pf are orthogonal, it follows 
from Eq. (||) that 



p^-pf = cos2d {p^-pf 



B 'B\ 



(12) 



in the representation in which Pq and pf are diagonal. 
Thus, it follows that 



pBob, B B^ 



1- |cos20| _ i-y'^-iPipo^p?)) 



(13) 

Let us now introduce distinguishability between Pq and 
pf as 



D{p^,pf) = P-T Perr" = ^TrB | - pf 



(14) 



Then, the larger the distinguishability is, the more Bob 
can distinguish between pQ and pf correctly. Thus, the 
distinguishability gives a measure of the available infor- 
mation about b for Bob from pf . It is easily seen that 
Fipf,pf) and D{pf,pf) satisfy 



{Fipf,pf)y + {Dipf,pf)y^l. 



(15) 



Therefore, there is a trade-off relationship between 
P{pf^pf) and D{pf,pf); that is, the smaller F{pf,pf) 
is, the larger D{pf,pf) is and the more correctly Bob 
can distinguish pf and pf , and vice versa. 

Let us turn to the information-theoretic measure of 
available information for Bob. Mutual information be- 
tween the value of genuine b and the value of b that is 
judged from the measurement of pf and pf is an appro- 
priate measure from the viewpoint of information theory. 
When Alice chooses the value of commit bit b between 
and 1 with equiprobability, this measure depends only 
on pf and pf and is given by 



I^''\pf,pf) = l-H{Pf^f{pf,pf)\ 



(16) 



where H{p) = — plogjp— (l—p) log2(l— p) is an entropy 
function (in bit). 



B. Alice's cheating 

The purpose of Alice's cheating is to unveil her commit 
bit b at her will in the 0-phase while ensuring unveiled 
b does not conflict with Bob's measurement of his sub- 
system B revealed by her during the C-phase. From the 
agreed protocol, Alice can calculate the purification given 
in Eqs. (||) and (^) beforehand. 

In the following, her ability to change the commit bit is 
evaluated for two known cheating strategies as a measure 
of her cheating performance. 



1. Mayer's strategy 



This is a strategy which was first proposed by Mayers. 
[|l| Alice honestly reveals either pf or pf in the C-phase 
by transmitting subsystem B of the joint system AB pre- 
pared in the arbitrary purification associated to either pf 
or pf . In the 0-phase, by a local unitary operation on 
subsystem A in her hand, she can change the joint state 
into any purification \ of her chosen pf that satisfies 



Pb 



and 



B „B 



(17) 



(18) 



where 5 = 6 © 1. HJTll Then, according to her necessity, 
she changes the joint state into the fake states. 



l^^"") =-cos0|O^^)-fsin0|l^^), 



14" 



-4^) -sinelO^^) 



cos^lL^^V 



(19) 



Here, the state 



saturates the upper boimd of 
in Eq. ( |1§| ) and is most parallel to the state 
||ll| She tells Bob the basis to be used for his 
measurement on subsystem B that is found from her pro- 
jection measurement of subsystem A by an appropriate 
basis {|e^)}. Bob performs projection measurement on 
his subsystem B according to her instruction and checks 
her commitment from the consistency between the value 
of b that is unveiled by Alice in the 0-phase and his mea- 
surement results. 

The fake state given in Eq. ( |19[ ) is optimal 

in Mayer's strategy. To confirm this, we consider the 
probability P^^'^'^ that Alice causes and Bob finds an 
inconsistency between the unveiled value of b and Bob's 
measured data. It is proven in Appendix B that P^^''"'' 
is zero when Alice prepares the genuine state or the 
purification and 



TjAlice \, 1 
err — 



\w\^n\ 



(20) 



when she prepares the fake state 

l,AB- 



holds if and only if |V'|^^) lies in the subspace M spanned 
by a set of orthonormal states { | O'^'^ ) 
Eq. M) to Eq. (poh yields 



where equality 
ace A 
1^^)}. Applying 



pAlice ^ -j^ 



{Pipf,P?)) 



M e 



/ B B\ 



(21) 



The state lipi^) in Eq. ( p^ yields the lower bound 
Pu'erripEiPi) ^r thc probability P^^^"" that depends 
only on pf and pf . Therefore, thc fake states in Eq. 
( |T9| ) give the least possibility of disclosing her cheating 
to Bob and they are optimal for this strategy. The lower 



limit P, 



Alice 
M err 



{Pf.pf) 



is a convenient measure of Alice's 



ability to change her commitment in the 0-phase. 
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It should be noted that Mayer's strategy is asymmet- 
ric with respect to the value of b that Alice unveils in 
the 0-phase. For example, consider Alice reveals in 
the C-phase. Then, if she unveils 6 = honestly in the 
0-phase, Bob's measured data on his subsystem B is per- 
fectly consistent with her disclosure and P^^'^'^ is zero. 
Conversely, if she wants to unveil 5=1, she can cheat 
Bob successfully with the probability 



^Me;.(Po,Pf)=COS^20 



(22) 



by preparing the fake state 
are used to derive Eq. 



Here, Eqs. (|To|) and 
3). Thus, the lower limit 



^M^erriPo ' Pi) dcpcuds On b that AHce unveils in the O- 



phasc. It should be further noted that PM^erriPo^Pi) > 
1/2 if F{p^,pf ) < 1/a/2. This means that Mayer's strat- 
egy can be applicable only when F{pQ,pf) — |sin20| > 
I/V2. 

Now let us turn to the information-theoretic measure 
of Alice's cheating performance. Let I^^'^'^ be mutual 
information between the value of b that Alice unveils and 
the value of b that Bob judged from his measurement on 
his subsystem B in the 0-phase. Taking into account the 
asymmetry noted in the previous paragraph, we get the 
upper bound of I^j^'^'^ as a function only of and as 
follows: 



'{P^.pf 



= + o{l-H{P^lT;r. 



(Po,pf))}- (23) 



Here, Im \Po ^ Pi ) considered to be a good 
information-theoretic measure of Alice's ability to change 
her commit bit for this strategy. 



l^o"") -(|0^^) + |l^^))/x/2, 
IV^D =-(|0^^)-|l-4^)) 



(26) 



Here, jV'h'^^) saturates the upper bound of {^'t'^li'b'^} 
in Eq. (25) and is the most parallel to the state 
pT[ She tells Bob the basis to be used for his measure- 
ment on subsystem B that is found from her projection 
measurement on her subsystem A by an appropriate ba- 
sis { I e^^ } . Bob performs projection measurement on his 
system according to her instruction and checks her com- 
mitment from the consistency between the value of b that 
is unveiled by Alice in the 0-phase and his measurement 
results. 

It can also be proven from Appendix B that the lower 
bound PhkItApE ^ Pi) of t^ie probabihty P^^^"" in this 
strategy depends only on p^ and pf , and it is given by 



pAlice 
^HK err 



(p^,pf) = l-(F(pf,p 



S)^2 ^ l-F{p^,pf) 



(27) 



The states in Eq. ( [2^ ) yield the lower bound 

PHx'erripE T Pi)- Thcrcforc, they are optimal for this 
strategy. The lower limit PHK^^'erriPo ^ Pi) gives a con- 
venient measure of Alice's ability to change her commit- 
ment in the 0-phase. 

In contrast to Mayer's strategy, Hardy-Kent's strategy 
is symmetric with respect to the value of b that Alice 
unveils in the 0-phase. The lower limit Pn'K^rriPo t Pi) 
is independent of her disclosure of b. The upper bound of 

for Hardy-Kent's strategy 
{Pa,Pi) as 



the mutual information I^^jf^ 
is written in terms of Pn'Rerr 



2. Hardy-Kent's strategy 

This is a strategy which was first given by Koashi 
and Imoto in the context of quantum key distribution 
I psf , but later applied to the BC protocol by Hardy 
and Kent. |^ According to this strategy, Alice reveals 
p^ = {pq + pf ) /2 in the C-phase by transmitting the 
subsystem B of the joint system AB prepared in the ar- 
bitrary purification of p^ . When she unveils her commit- 
ment in the 0-phase, she can change the joint state into 
any purification \'ipf^) of p^ satisfying 



and 



0<W\^r)<F{pE: 



(24) 



(25) 



by performing a local unitary operation on her subsystem 
A. Then, according to her choice of b, she changes the 
joint state into the fake state, for example, so that when 
0<9 < tt/2, 



T Alice 



{pI^Pi' 



1 



TT/pAlice ( „B „B\ 
\^HK err\ 



^(Po^pf)), 



(28) 



which is considered to be a good information-theoretic 
measure of Alice's ability to change commit bit 6 in this 
strategy. 

To compare the cheating performances of Alice 
and Bob for both Mayer's and Hardy-Kent's strate- 
gies, we plot the three information theoretic measures 
I^'"'{pE,P?), /i^'-^(pf ,pf), and I^'ripE,p?) in Fig. 
|l| as a function of the fidelity F(p^, pf ) chosen as a com- 
mon parameter. This figure clearly shows that there is 
a trade-off relationship between Bob's available informa- 
tion in the C-phase (/^°''(p^, pf )) and Ahce's abihty to 
change commit bit b in the 0-phase {if^^'^'^iPo , pf))- It 
is clear that the sum is bounded; i.e.. 



3obi R 



(Po-,pf) + /^'-(p«,pf)<l 



B „B\ 



(29) 



(for i = M,HK). This equation is a direct consequence 
of Eq. (p^), showing a trade-off relationship between the 
distinguishability D{pq , pf), a measure of Bob's infor- 
mation gain in the C-phase, and the fidefity F(p^,pf ), 
a measure of Alice's ability to change commit bit in the 
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FIG. 1. Three information-theoretic measures 
I (Po,Pi), hi (Po.Pi). and /^^ (Po , Pi ) are plot- 
ted against fidehty F{pQ,pf). Entropy of entanglement 
E (I'i^b*^)) is also plotted for reader's information. 

0-phase. Therefore, there is a trade-off in the perfor- 
mance of Alice's and Bob's cheating. Figure ^ also shows 
that Hardy-Kent's strategy is superior to Mayer's with 
respect to ability to change commit bit b when the value 
of ^^(p^,pf) is large. 

IV. DISCUSSION 

A secure BC protocol must not allow cheating by ei- 
ther parties, Alice or Bob. To satisfy this condition, both 
I {Po,P?) and (pf , pf) should vanish simultane- 
ously. However, Fig. |l| indicates that this requirement 
is never satisfied because of the trade-off relationship 
between I^°\p^,pf) and if^^'^p^ , pf). In addition, 
even if we choose a balanced condition for both parties, 
Fip^,pf) ~ I/V2, both I'"'\p^,p?) and /^"-(Po^, pf ) 
are already large enough. Therefore, it is concluded that 
a law of quantum physics does not help to improve the 
security of the BC protocol. 

As already proven generally by Mayers, Lo, and Chau, 
this conclusion should be valid not only for the partic- 
ular cheating strategies described in this paper but also 
for any strategies that Alice and Bob can choose. To 
understand this conclusion, consider the entropy of en- 
tanglement (or entanglement in brief), which is known to 
be a unique measure of the amount of entanglement for 
the pure state. Entanglement of the purifica- 

tion I'i/'b^^) is defined as the von Neumann entropy of the 
marginal state pf of or equivalently as the Shan- 



non entropy of the squares of the Schmidt coefficients of 
IV'^^). From Eqs. (|), (§, (|l|), and (|l|), it is easily 
calculated as 

i?(|0)-^(pf)=l-^''°UVf)- (30) 

Here, it should be noted that /^°''(p^,pf ) is equivalent 
to maximum information Ic available from p^ that is 
transmitted from Alice to Bob in the C-phase; that is, 

/,=/^°^p^,pf) = i-i?(i^r))- (31) 

Applying Eqs. (|l|) and (|2|) to (^, we obtain the in- 
equality, 

I^''^^{p^,P?)<E{yj^^))=I,. (32) 

This inequality implies two things. First, the per- 
formance of Alice's cheating, when it is measured by 
//^'*'^'^(p^, pf ), is bounded by the entanglement of the 
purification E (j^/;^^)), which is determined only by its 
marginal state pf (see Eq. (|30|)). Second, it is also 
bounded by the amount of information Iq that is revealed 
in the 0-phase. 

These implications are reasonable for the following rea- 
son. When Alice wants to cheat Bob, what she can do 
is restricted to local operation and measurement on the 
subsystem A in her hand after she has revealed pf by 
transmitting the subsystem B. It is known to be a fun- 
damental law of quantum information processing that 
entanglement cannot be increased if we are allowed to 
perform only local operations and subselection on the 
subsystem of a joint system. In this restricted situa- 
tion, the best she can do to cheat is use the local unitary 
operation that conserves the entanglement shared in the 
joint system and keeps the marginal states p^ unchanged. 
Otherwise, the strategy must be by far an optimal one 
because a fraction of the entanglement must be lost from 
the joint system and dissipate into the environment dur- 
ing the local operation. Under such circumstances, Alice 
can change the information content encoded only in the 
relative phase between coefficients of each term in the pu- 
rification \'ip^-^'^, but she cannot change the information 
content encoded in their absolute values. It is the en- 
tanglement resource that is responsible for Alice's cheat- 
ing, and there is no cheating strategy that can break the 
bound given by entanglement E (1^^^^)) as shown in Eq. 
(^). In addition, it is also reasonable that only partial 
information that is to be revealed in the 0-phase can 
be used for Alice's cheating but the partial information 
already revealed in the C-phase cannot. Conversely, we 
must be aware that Alice makes use of partial informa- 
tion that is reserved to be revealed in the 0-phase as an 
entanglement resource for cheating. 

It is worth noting that the present proof can be re- 
garded as a concrete example of the general proof of the 
no-go theorem for a zero-knowledge-convincing protocol 
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recently given by Horodecki et al. [Q Our proof clearly 
indicates that if Alice wants to convince Bob that she 
has a definite value of a commit bit (which is, of course, 
classical information) in mind in the C-phase, the infor- 
mation provided by her to him in the C-phase has to 
carry nontrivial information about the commit bit in her 
mind. If the information revealed in the C-phase is in- 
dependent of her commit bit, Alice can always try to 
cheat by proposing the test which would give some result 
with certainty and independently of her commit bit in the 
0-phase. Our proof suggests an information-theoretic 
ground for the no-go theorem of the zero-knowledge- 
convincing protocol. Namely, any protocol with a test 
message that convinces Bob that Alice knows some state 
(j) (which is, in general, quantum information), the test 
message has to carry non-zero information about state (fi 
to prevent Alice's cheating. 

The present proof implies that the conjecture of May- 
ers about two-party secure computation, which states 
that the symmetric protocol might be possible whereas 
the asymmetric tasks, such as unidirectional secure com- 
putations, would be impossible, is correct. In the uni- 
directional two-party computation, which allows only one 
of the two parties to learn the result, both members of the 
party can be a cheater and security requirements for both 
members are incompatible. Such unidirectional protocols 
under the standard nonrelativistic assumption are neces- 
sarily insecure. We believe that unidirectional quantum 
communication does not achieve more than classical com- 
munication alone in the two-party model. However, it has 
not yet been proven that no non-trivial cryptographic 
tasks in the two-party model using bidirectional quan- 
tum communication are unconditionally secure. Indeed, 
there are some proposals on the quantum protocols for 
non-trivial weaker tasks in two-party bidirectional quan- 
tum communication such as quantum coin-tossing ||l9| ] 
and quantum gambling. ||20|| It will still be important to 
solve the general problem concerning what is possible and 
what is impossible in two-party secure computation when 
unprovcn computational assumptions are abandoned. 

V. CONCLUSIONS 

In conclusion, we have given constructive proof why an 
unconditionally secure quantum BC is impossible in the 
light of quantum information theory. The BC protocol 
is in essence the protocol in which one-bit information is 
split and revealed in two temporally separated steps: the 
C-phase and the 0-phase. It ensures only a fraction of 
the bit information is revealed at a time. In the quantum 
BC protocol, increasing the information revealed in the 
C-phase is to Bob's advantage; conversely, increasing the 
information revealed in the 0-phase makes things to Al- 
ice's advantage. This situation is similar to the classical 
protocol. Furthermore, the protocol that is unbiased to 



both Alice and Bob is not secure for both. Therefore, it 
is impossible to design a BC protocol whose security is 
established solely on the law of quantum physics. 

In addition, it has been clarified that, Alice can make 
use of the entanglement resource, which is equal to the 
amount of information reserved to be revealed in the O- 
phase, to cheat. To prevent Alice's cheating, the informa- 
tion revealed in the C-phase must depend on her commit 
bit, and it must inevitably carry non-zero information 
about her commitment. It can be concluded that quan- 
tum mechanics itself makes designing an unconditionally 
secure BC protocol impossible. 

APPENDIX A: A PROOF OF EXISTENCE OF 
MUTUALLY ORTHOGONAL PURIFICATIONS 

OF pf 

Suppose that the states xt^ (^ = 0, 1) of joint sys- 
tem AB that is to be prepared by Alice are mutually 
orthogonal on the joint space Hab = Ha 'S) Hb', i.e., 

Xo^^xr = ^Xo^^ = 0. (Al) 

Because Xo^ and xt^ commute, they can be diago- 
nalized simultaneously in terms of orthonormal bases 
{|e^^)} and {|/^^)} in Hab as follows: 

xf^=E^/IO(/^''l' (A2) 

where and {|/'^'^)} are mutually orthogonal; 

i.e., (e-4S|/-4S) = (/^^|e^^) = 0, and {Ae} and {A;} 
are sets of real eigenvalues oixt^ satisfying < Ae, A/ < 
1 and X;^e = E^/ = 1- Thus, Xo^ and xf^ have 
orthogonal supports in Hab- Marginal states revealed 
by Alice to Bob in the C-phase are commutable and, in 
general, nonorthogonal states. Using this representation, 
we can write them as 

p^=TrAX^^ = Y^X^TrA\e^^){e^^\, 

pf = TMxf^ -T^^fTrA 1/-^^) (/^^l . (A3) 

Now, we consider mutually orthonormal states \ipo^) 
and {{iPo^Hi^) = 0) that lie in the subspace 

to which Xo^ and xt^ belong respectively; i.e.. 

Then, the marginal states for them are 
TrA li^n W\ = E \-<^\"TrA \e^^) (e^^| 

+ EceC:,Tr^|e-4^)(e'^«|, 
TrA li^n ii^t^'l = E \^f\"TrA \f^^) {f^^\ 

+ Y,Cfc},TrA\f^^){f'^^\. (A5) 
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Because the states of subsystem A represent the classical 
information transferred from Alice to Bob in the 0-phase, 



when Alice prepares an honest state xt^ ■ Alice projects 
her subsystem A of the joint system AB prepared in 



different states |e^-^) ^ |e'^^) and j/'^^) 7^ \f'^^) are onto a state \ef-) among the complete orthonormal basis 



orthogonal on the subspace Ha- Therefore, 



0. (A6) 



By noting that the second terms in Eq. ( A5) vanishes, it 
is concluded that by choosing Ce and c/ so that 

A/ = |c/|', (A7) 

it is always possible to obtain mutually orthogonal purifi- 
cation I V'jf of p^^ in the subspace in which the support 
of the state Xb^^ lies. 



APPENDIX B: PROBABILITY THAT BOB 
DETECTS ALICE'S CHEATING 

Suppose that the state of subsystem A is measured to 
be \ef) when A of the joint system AB prepared in the 
state li'b^) (i^^^l is subjected to projection measure- 
ment by the orthonormal basis {|e/)} for Ha- Accord- 
ing to general results of quantum measurement theory, 
the state of the subsystem B is projected onto the pure 
state 



pf(|e/)) = 



From Eqs. (|^) and (^, it is easily seen that 



j 

AB\ 



-(0^^|e/)(e/|0^^)). (B2) 

Therefore, we find that, if and only if the basis { |e^) } is 
chosen so that the overlap between |e^) and |0'^^) and 
that between \e^) and arc the same, i.e., 



(0--|e/)(e/|0--) = (l-^-|e/)(e/|l--) 



(B3) 



the states Pq {\ef)) and pf {\ef)) become mutu- 
ally orthogonal. In the quantum BC protocol, Al- 
ice and Bob agree to use the measurement basis 
{pq [\ef)) , pf [\ef))} on subsystem B that has a one- 
to-one correspondence to a state \ef-) on A through the 
joint state \tpf^) {"^P^^l- She reveals to Bob the mea- 
surement basis {Po {\^f)) T Pi {\^f))} associated with 
her state in the 0-phase, and he measures his sub- 
system B by this basis. 

Now, we consider the probability P^^'^'^ that Alice 
causes an inconsistency between the value of b that is 
unveiled by her in the 0-phase and Bob's measured data 



(h/)} ^'^^ space Ha- She can perform such a projection 
on her subsystem at her own free will. Correspondingly, 
the state of Bob's system is projected to be 







4) 


TrB {ef 







(B4) 



Here, from Appendix A, the states [i/'f, 



satisfy 



(r^ 



AB 



{^4 



(B5) 



Then, we obtain the identity p?, (|e^)) — pb {^ef-")). This 
identity implies that if Bob follows Alice's instruction and 
measures his system by the measurement basis given by 
her, the value of b unveiled by Alice in the 0-phase is 
perfectly correlated with Bob's measurement result, no 
matter what Alice prepares \tp^^) {fp^^\ or Xb^- There- 
fore, if Bob is honest enough to follow Alice's instruction, 
the probability P^''^'^'' that Bob finds an inconsistency in 
his data vanishes if Alice prepares (i'b^] or x^^. 

Consequently, Alice can transmit one bit of classical in- 
formation to Bob with certainty. 

Next, we consider the probability P^^'^'^ when Al- 
ice prepares a fake state |V'^'^) that lies in joint space 
Hab- When the joint system AB prepared in the state 
(Bl) l"*!^^^) {'4'^^\ is subjected to the projection measurement 
by using the orthonormal basis {|e^)} for Ha and the 
result is \ef), the state of the subsystem B is projected 



onto the pure state 



TrB {ef\^^^){^^^\ef)' 



(B6) 



Let the fidelity between p^ {\^f)) ^^^^ Pb {\ef)) be 
F {p^ (|e/)) ,pf (|e/))). Then, the probability P.-^J?"" 
that Bob finds an inconsistency in his data is given by 



Ati 



= l-|^(p"(|e/)),pf(|e/)))| 



P. 



Under the condition of Eq. (|B3[), it follows that 



(B7) 



{r'\ef){efHn = ^TrAB\ef){ef\PM 



(B8) 



TrB{ef\r''){r''\ef) 



> -^Ttab 

I AB\ 



\ef){ef\PM, (B9) 



where Pm = |0^'^)(0^^| -I- is the projec- 

tor onto two-dimensional subspace M in Hab that is 
spanned by a set of orthonormal states {jO"^^) , [l"*^)}. 
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AB 



and TrAB\ef){ef\PM = (O 
(I'^^le^) (e^ll-^^) is the overlap between the state \ ef) 
in Ha and subspace M. The equal sign in inequality (|B9| ) 
holds if and only if state 1^"^^) lie s wi thin subspace M. 
From Eqs. and we obtain 



[20] L. Goldenberg, L. Vaidman, and S. Wiesner, Phys. Rev. 
Lett. 82, 3356 (1999). 



\F{p^{\ef)),p^{\ef)))\'<\{r^\i,n\ 



(BIO) 



Applying Eq. OBld) to Eq. (B7), we finally obtain 



err — 



(Bll) 



Here, equality holds if and only if the state \'4'^^) lies 
within subspace M . 
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